Objectives of the Presentation
Why Should You Attend
- Use the HIPAA-required risk analysis to help you decide which policies and procedures to develop
- Research before drafting policies and procedures, by asking and answering the right questions, soliciting help and collecting samples
- Draft policies and procedures that comply with HIPAA's requirements, based on sound principles of substance, organization, coherence, style, and correctness
- Revise policies and procedures, including steps of reviewing, incorporating recommended changes and implementing
- Draft required policies under HIPAA
- Decide whether you must draft addressable policies under HIPAA
- Decide what other policies you need to draft that HIPAA doesn't mention but that affect your organization or that may be required by your accreditation organizations and/or recommended by your various professional associations
The majority of the DHHS civil money penalties, and settlements in lieu thereof, involve, sometimes alongside other violations, failure to perform a written risk analysis, failure to develop required policies, and failure to conduct adequate HIPAA training. These penalties are usually in the seven-figure range.
Failure to conduct a written risk analysis, adopt required policies, or conduct required training qualifies as "willful neglect," which carries the highest civil money penalty ("CMP"), a penalty that DHHS cannot waive, as it can for violations due to reasonable cause. DHHS entered into a settlement with Massachusetts General Hospital for $1 million for a breach involving paper PHI records left on a subway. The sanction was imposed because Massachusetts General had not trained its workforce on proper security for PHI taken offsite and did not have a work-at-home policy. Significantly, HIPAA does not even mention working at home, much less specifically require such a policy.
Who Will Benefit
- Using the HIPAA-required risk analysis to help you decide which policies and procedures to develop
- Ask questions. Learn why you need to nail down the answers to at least 12 questions before you try to write a policy and how to do so
- Solicit help. Learn whom to solicit help from both within and outside your organization and when and why and how
- Collect samples. Learn what samples to collect and from whom
- Substance. Learn what substance means and how to achieve it
- Organization. Learn how to draft a clear beginning, a clear middle and a clear end
- Coherence. Learn how to connect your ideas so that readers will not have to wonder where something came from or why
- Style. Learn how to write for your target audience as simply and clearly as possible
- Correctness. Learn how to get rid of the static in your writing
- Review. Learn whom to contact to review your drafts
- Incorporate. Learn how to resolve disputes and incorporate changes
- Implement. Learn how to lay out a plan for implementing the policy, including publishing, distribution, implementation (and perhaps even training the workforce on the policy), and a schedule for annual review and revision, if necessary
- Drafting required policies under HIPAA
- Deciding whether you must draft addressable policies under HIPAA
- Deciding what other policies you need to draft that HIPAA doesn't mention but that affect your organization or that may be required by your accreditation organizations and/or recommended by your various professional associations
HIPAA compliance officers, HIPAA Security Officers, HIPAA Privacy Officers, CFOs, CEOs, COOs, CIOs, human resources directors, business office managers, administrators, medical records personnel, health information management professionals, health care attorneys, patient accounts managers, billing services, physicians, dentists, pharmacists, physical and occupational therapists, mental and behavioral health professionals, speech and language pathologists and audiologists, nurses, chiropractors and business associates.
HIPAA requires covered entities and business associates to draft, adopt, and implement policies and procedures for their workforce members to follow and abide by to attain and maintain HIPAA compliance. Some of those policies are required, some are addressable, and some simply fall into the category of "not mentioned anywhere in HIPAA, but you'd better have them." Writing those policies and procedures can be a major burden. The first and often worst part of that burden is deciding which policies you need to draft, adopt, implement and enforce.